STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

DISA Rule

SV-216744r531087_rule

Vulnerability Number

V-216744

Group Title

SRG-NET-000205-RTR-000002

Rule Version

CISC-RT-000140

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the external and internal ACLs to drop all fragmented ICMP packets destined to the router itself, as shown in the example below.

RP/0/0/CPU0:R3(config)#ipv4 access-list EXTERNAL_ACL_INBOUND
RP/0/0/CPU0:R3(config-ipv4-acl)#25 deny icmp any host x.11.1.2 fragments log

RP/0/0/CPU0:R3(config)#ipv4 access-list INTERNAL_ACL_INBOUND
RP/0/0/CPU0:R3(config-ipv4-acl)#5 deny icmp any host 10.1.12.2 fragments log
Note: Ensure each deny statement above precedes any permit statements for ICMP in the same ACL; ACL entries are evaluated in sequence-number order, so a permit for ICMP with a lower sequence number would match fragments first.

Check Contents

Review the external and internal ACLs to verify that the router is configured to drop all fragmented ICMP packets destined to itself.

ipv4 access-list EXTERNAL_ACL_INBOUND
10 permit tcp host x.11.1.1 eq bgp host x.11.1.2
20 permit tcp host x.11.1.1 host x.11.1.2 eq bgp
25 deny icmp any host x.11.1.2 fragments log
30 permit icmp host x.11.1.1 host x.11.1.2 echo
40 permit icmp host x.11.1.1 host x.11.1.2 echo-reply
50 deny ipv4 any host x.11.1.1 log
60 permit tcp any any established



140 deny ipv4 any any log
!
ipv4 access-list INTERNAL_ACL_INBOUND
5 deny icmp any any fragments
10 permit icmp any host 10.1.12.2 fragments
20 permit ospf host 10.1.12.1 host 10.1.12.2
30 permit tcp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq ssh
40 permit tcp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq tacacs
50 permit udp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq snmp
60 permit udp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq ntp
70 deny ipv4 any host 10.1.12.2 log



110 permit ip any any

Note: Ensure the statement to deny ICMP fragments is before any permit statements for ICMP.

If the router is not configured to drop all fragmented ICMP packets destined to itself, this is a finding.
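As an added example (not part of the STIG or of STIGQter), the ordering check in the note above expressed as a Python script: it parses IOS XR `ipv4 access-list` output and verifies, per ACL, that a deny of ICMP fragments destined to the router's own address (or to any) carries a lower sequence number than every permit icmp entry. The sample configuration is constructed from the Check Contents (elided entries omitted), and BAD_ACL_INBOUND and the router addresses passed in are hypothetical.

```python
import re
# Constructed sample: the Check Contents ACLs above (elided entries omitted) plus a hypothetical non-compliant one.
SAMPLE_CONFIG = """\
ipv4 access-list EXTERNAL_ACL_INBOUND
 25 deny icmp any host x.11.1.2 fragments log
 30 permit icmp host x.11.1.1 host x.11.1.2 echo
!
ipv4 access-list INTERNAL_ACL_INBOUND
 5 deny icmp any any fragments
 10 permit icmp any host 10.1.12.2 fragments
!
ipv4 access-list BAD_ACL_INBOUND
 10 permit icmp any host 10.1.12.2 echo
 20 deny icmp any host 10.1.12.2 fragments log
!
"""
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")

def parse_acls(config):
    """Group IOS XR 'ipv4 access-list' entries by ACL name as (seq, action, proto, tokens)."""
    acls, name = {}, None
    for line in config.splitlines():
        if line.startswith("ipv4 access-list "):
            name = line.split()[2]
            acls[name] = []
        elif name and (m := ENTRY_RE.match(line)):
            acls[name].append((int(m[1]), m[2], m[3], m[4].split()))
    return acls

def _addr(tok, i):
    """Consume 'any', 'host A', or 'A WILDCARD' at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    return (tok[i + 1], i + 2) if tok[i] == "host" else (f"{tok[i]}/{tok[i + 1]}", i + 2)

def check_icmp_fragments(entries, router_addr):
    """CISC-RT-000140: the deny of ICMP fragments to the router must precede every permit icmp."""
    deny_seq = permit_seq = None
    for seq, action, proto, tok in sorted(e for e in entries if e[2] == "icmp"):
        dst, i = _addr(tok, _addr(tok, 0)[1])   # skip the source spec, read the destination
        if action == "deny" and "fragments" in tok[i:] and dst in ("any", router_addr):
            deny_seq = seq if deny_seq is None else deny_seq
        elif action == "permit" and permit_seq is None:
            permit_seq = seq
    if deny_seq is None:
        return False, f"no 'deny icmp ... fragments' entry covers {router_addr}"
    if permit_seq is not None and permit_seq < deny_seq:
        return False, f"permit icmp at seq {permit_seq} precedes the deny at seq {deny_seq}"
    return True, f"deny fragments at seq {deny_seq} precedes every permit icmp entry"
```

Run it against `show running-config ipv4 access-list` output, passing the address of the interface each inbound ACL is applied to; a False result for any ACL is a finding under this rule.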

Severity Override Guidance

Check Content Reference

M

Target Key

4029

Comments